Layer7 Access Management

Expand all | Collapse all

Can the same webagent protect two resources at different authentication levels ?

Jump to Best Answer
  • 1.  Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 03:08 PM

    Hello,

     

    Scenario:
    -------------
    Webagent name:  test_agent
    Protected URLs:  /application1
                                 /application2

     

    We want to protect /application1 at authentication level 10
                             and /application2 at authentication level 5.


    Are the below configuration possible for the same webagent: test_agent:

    1. If a user tries to access resource /application1, the webagent returns a level 10 SMSESSION cookie.
    2. If a user tries to access resource /application2, the webagent returns a level 5 SMSESSION cookie.

     

     

    Thanks,
    Mitesh



  • 2.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 03:15 PM

    Yes this is supported.

     

    Realm-1 : /application-1    --> Protected using AuthScheme-Level-10.

    Realm-2 : /application-2    --> Protected using AuthScheme-Level-5.

     

    If it is two different applications, I'd separate them into two different Policy Domains.

     

    PolicyDomain-App1:

    test_agent --> AgentGroup-App1 --> Realm-1 : /application-1    --> Protected using AuthScheme-Level-10.

     

    PolicyDomain-App2:

    test_agent --> AgentGroup-App2 --> Realm-1 : /application-2    --> Protected using AuthScheme-Level-05.

     

    We hope you are aware of the rule of SSO & User Experience when traversing across realms which has different Authentication levels.



  • 3.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 03:37 PM

    Hubert,

    Thank you for your prompt response.

     

    Just to reconfirm, we using only one policy domain.

     

    Can you point me to the Siteminder guide where this is documented - wrt the fact that one webagent can protect resources at different auth levels on the same policy domain ?

     

    Thank you for your help.

    Mitesh



  • 4.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 04:02 PM

    Hopefully this helps!

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20%20Secure%20Proxy%20Server%20r12%200%20SP3-ENU/Bookshelf_Files/HTML/index.htm?toc.htm?283504.html

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes#AuthenticationSchemes-ProtectionLevels

     

    Now if we are specifically looking for a statement "Single/Same WebAgent protecting two unique resources with their respective realms & auth scheme on different protection level", I doubt we are going find such a statement.



  • 5.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 04:23 PM

    Thank you Hubert.

     

    In our organization, we have a custom authentication scheme levels: 5, 10, 15.

    level 0 is for unprotected resources. Level 15 for the highest security resources.

     

    For the current webagent there is only one realm with authentication scheme: level 10 - that is currently protecting /application1

     

    So basically, we will have to add one more realm with level 5 and protect /application2 URI against this new realm.

     

    Is this understanding correct ?

     

    Also I found the below document which has instructions on creating a new realm.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/realms-overview/configure-realms

     

    In summary, we can refer to this documentation to create the new realm at level 5 for the same webagent and protect URI /application2. Please confirm.

     

    Thank you for all your help.

     

    Mitesh



  • 6.  Re: Can the same webagent protect two resources at different authentication levels ?
    Best Answer

    Posted 09-21-2017 05:16 PM

    Mitesh

     

    The Protection Level is defined within the Authentication Scheme.

     

    We create the realm (with resource filter i.e. URI to be protected) and associate the Authentication Scheme to the realm. That is how the protection level from the Authentication Scheme gets applied to the Realm.

     

     

     

     



  • 7.  Re: Can the same webagent protect two resources at different authentication levels ?

    Posted 09-21-2017 05:24 PM

    Thank you Hubert. This helps a lot.